Cyberattack anatomies are detailed outlines of attack methodologies, techniques, and tactics. This blog post outlines the anatomy of a recent smishing campaign identified by Fortra’s threat researchers.
The Smishing Attack
The smishing text contains a banking alert about a transaction being put on hold and urges the reader to visit the link if the transaction was not initiated by the recipient. Given that this is an unsolicited text message about an unknown transaction, combined with the urgent tone of the text, the user is likely to be tricked into clicking the phishing URL and visiting the malicious site.
SMS Sender Verification
Typically, one of the telltale signs of a smishing attack is a four-digit sender number, which indicates the use of an email-to-text service. In this campaign, however, the attacker sends from a standard full-length phone number, sidestepping this well-known detection technique.
Unlike email sender addresses, which can be used to identify and filter phishing attacks, a sender’s phone number is a poor basis for blocking smishing attempts, because phone numbers are recycled and may later belong to legitimate entities. Nor, unlike a phishing email, does a phone number contain spelling or grammar mistakes that would mark a suspicious source. These characteristics of phone numbers allow the attacker to bypass further security controls and deliver the initial text, increasing the rate at which messages reach their intended victims.
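The following triage script is an added example, not code from Fortra or from the original post. It shows why a sender-number heuristic alone is insufficient for the campaign described above: the constructed "transaction on hold" lure comes from a full-length number and is caught only by its content and URL indicators, while a benign four-digit short code scores low. The sample messages, the keyword lists, and the "shorter than ten digits" definition of a short sender are assumptions made for the example; the only value taken from the post is the defanged smishing URL.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not taken from the original post). The first mimics the
# banking "transaction on hold" lure the post describes and is sent from a full-length
# number; the other two are benign controls, one of them from a four-digit short code.
# The URL is kept defanged exactly as the post gives it and is refanged before parsing.
SAMPLE_MESSAGES = [
    ("+15550100001",
     "ALERT: a transaction on your account has been placed on hold. If you did not "
     "initiate it, visit https[:]//cancelbank29b[.]com to cancel it immediately."),
    ("1234", "Your appointment is confirmed for Tuesday at 10:00."),
    ("+15550100002", "Running late, be there in 10."),
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Assumed keyword lists; a production filter would tune these against real traffic.
URGENCY_TERMS = ("on hold", "immediately", "suspended", "locked", "urgent", "cancel")
FINANCIAL_TERMS = ("transaction", "account", "bank", "payment", "card")


def refang(text: str) -> str:
    """Undo the common [.] and [:] defanging used in threat-intel reports."""
    return text.replace("[.]", ".").replace("[:]", ":")


def is_short_sender(sender: str) -> bool:
    """True for short codes and similar abbreviated senders.

    The post's heuristic is 'four-digit numbers'; this generalises to anything
    shorter than a ten-digit national number (an assumption, not the post's rule).
    """
    digits = re.sub(r"\D", "", sender)
    return 0 < len(digits) < 10


def extract_domains(body: str) -> list[str]:
    """Return the lower-cased host of every URL in the (refanged) message body."""
    hosts = []
    for url in URL_RE.findall(refang(body)):
        host = urlparse(url.rstrip(".,;)")).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def triage(sender: str, body: str) -> dict:
    """Score one SMS.

    Content and URL indicators decide the verdict; the sender number is recorded
    as context only, because a full-length number (as in this campaign) or a
    recycled number must never be trusted or blocked on its own.
    """
    text = body.lower()
    domains = extract_domains(body)
    flags = []
    if is_short_sender(sender):
        flags.append("short_sender")
    if domains:
        flags.append("contains_url")
    if any(term in text for term in URGENCY_TERMS):
        flags.append("urgency_language")
    if any(term in text for term in FINANCIAL_TERMS):
        flags.append("financial_context")

    # A link, urgency wording and a financial pretext together form the lure
    # pattern the post describes; a link with only one of the two is worth a look.
    content_hits = {"contains_url", "urgency_language", "financial_context"} & set(flags)
    if len(content_hits) == 3:
        verdict = "high"
    elif "contains_url" in content_hits and len(content_hits) == 2:
        verdict = "medium"
    else:
        verdict = "low"
    return {"sender": sender, "domains": domains, "flags": flags, "verdict": verdict}


if __name__ == "__main__":
    for sender, body in SAMPLE_MESSAGES:
        result = triage(sender, body)
        print(f"{result['verdict']:6} {sender:14} flags={result['flags']} "
              f"domains={result['domains']}")
```

Run as a script, the lure is rated high despite its unremarkable sender, and the short-code appointment reminder is rated low: the sender field only ever adds a flag, never a verdict.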
Landing Page Analysis
The following screenshots were anonymized to protect the privacy of Fortra’s clients.
Fortra has identified a phishing kit that offers multiple variations of this landing page. These landing pages have been observed impersonating popular brands such as financial institutions, large retail chains, and mail service providers.
The initial landing page asks the user to enter their banking login information, luring them into handing their credentials to the attacker. Upon clicking the “Log In” button, the user is taken through a couple of pages that prompt them for sensitive Personally Identifiable Information (PII) such as their Social Security Number (SSN) and credit card number. Giving up this information exposes the victim to identity theft, credit card fraud, and other malicious activity. Compromised PII can even allow the attacker to craft highly targeted spear phishing campaigns against the victim by exploiting the exposed PII and other sensitive data.
The attack chain ends with the adversary luring the victim into giving up their Multi-Factor Authentication (MFA) code. This lure is strengthened by the security preference question at the bottom of the webpage, which not only adds to the apparent legitimacy of the website but also lulls the user into a false sense of security. The attacker can then use the compromised MFA code, together with the banking credentials the user shared earlier, to gain unauthorized access to the victim’s bank account and perform various malicious operations.
Suspicious URL Analysis
The smishing URL: https[:]//cancelbank29b[.]com
Unlike the landing page, the URL does not impersonate a specific brand or identity; the domain name refers only to a generic “cancelbank”. The generic, vague domain name, together with the random string of numbers and letters “29b”, can help the user spot the suspicious URL and question the legitimacy of its destination.
Fortra conducted a WHOIS lookup on the smishing domain, which revealed bogus registrant information.
A quick Google search showed that the registrant’s name does not exist and that the registrant’s address is an empty parking lot. Additionally, the registrant’s phone number contains too many digits. These bogus details raise doubts about the legitimacy of the registrant and point further to the malicious motivations of the threat actor.
However, the query revealed the registrant’s email address which Fortra utilized to perform a reverse WHOIS lookup to identify the following additional domains that the attacker may be operating under:
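The checks described in this section (a generic, randomly suffixed domain name, registrant fields that fail basic sanity tests, and a reverse pivot on the registrant e-mail) can be scripted. The block below is an added example, not Fortra's tooling or any WHOIS client's API: it parses WHOIS-style "Key: value" output, applies the digit-count test to the registrant phone number, and groups domains by registrant e-mail. The records are constructed; cancelbank29b[.]com is the domain named in the post, while the .example domains and every registrant value are placeholders invented to reproduce the kinds of defects the post describes, not the actual lookup results.

```python
import re
from collections import defaultdict

# Constructed WHOIS-style records (not real lookup output). The .example TLD is
# reserved for documentation, so these placeholders can never resolve.
SAMPLE_WHOIS = {
    "cancelbank29b.com": (
        "Domain Name: CANCELBANK29B.COM\n"
        "Registrant Name: Placeholder Registrant\n"
        "Registrant Street: 1 Placeholder Lot\n"
        "Registrant Phone: +1.55501000019998887776\n"   # deliberately too many digits
        "Registrant Email: registrant-placeholder@example.net\n"
    ),
    "placeholder-hold44c.example": (
        "Domain Name: PLACEHOLDER-HOLD44C.EXAMPLE\n"
        "Registrant Name: Placeholder Registrant\n"        # no street address at all
        "Registrant Phone: +1.55501000019998887776\n"
        "Registrant Email: registrant-placeholder@example.net\n"
    ),
    "unrelated-shop.example": (
        "Domain Name: UNRELATED-SHOP.EXAMPLE\n"
        "Registrant Name: Some Other Registrant\n"
        "Registrant Street: 10 Main Street\n"
        "Registrant Phone: +1.5550100002\n"
        "Registrant Email: other-placeholder@example.org\n"
    ),
}

REQUIRED_FIELDS = ("registrant name", "registrant street",
                   "registrant phone", "registrant email")
# Assumed list of generic financial words an attacker might drop into a domain label.
GENERIC_FINANCIAL_TERMS = ("bank", "cancel", "secure", "verify", "account", "pay")
E164_MAX_DIGITS = 15  # ITU-T E.164: an international number has at most 15 digits


def parse_whois(text: str) -> dict:
    """Parse 'Key: value' WHOIS output into a dict keyed by lower-cased field name."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        record[key.strip().lower()] = value.strip()
    return record


def phone_is_plausible(phone: str) -> bool:
    """Digit-count sanity check: more than 15 digits cannot be a valid E.164 number,
    and fewer than 7 is not a routable subscriber number either."""
    digits = re.sub(r"\D", "", phone)
    return 7 <= len(digits) <= E164_MAX_DIGITS


def domain_lexical_flags(domain: str) -> list[str]:
    """Flag a generic financial word and a trailing alphanumeric junk string
    (the 'cancelbank' + '29b' pattern) in the registrable label."""
    flags = []
    label = domain.lower().split(".")[0]
    if any(term in label for term in GENERIC_FINANCIAL_TERMS):
        flags.append("generic_financial_term")
    if re.search(r"\d+[a-z]*$", label):
        flags.append("alphanumeric_suffix")
    return flags


def registrant_flags(record: dict) -> list[str]:
    """Flag missing registrant fields and an implausible phone number."""
    flags = [f"missing:{field}" for field in REQUIRED_FIELDS if not record.get(field)]
    phone = record.get("registrant phone")
    if phone and not phone_is_plausible(phone):
        flags.append("implausible_phone")
    return flags


def pivot_by_email(records: dict) -> dict:
    """Reverse-WHOIS style pivot: group domains sharing a registrant e-mail."""
    groups = defaultdict(list)
    for domain, text in records.items():
        email = parse_whois(text).get("registrant email", "").lower()
        if email:
            groups[email].append(domain)
    return {email: sorted(domains) for email, domains in groups.items()}


if __name__ == "__main__":
    for domain, text in SAMPLE_WHOIS.items():
        record = parse_whois(text)
        print(domain, domain_lexical_flags(domain), registrant_flags(record))
    for email, domains in pivot_by_email(SAMPLE_WHOIS).items():
        print(email, "->", domains)
```

The pivot deliberately keys on the e-mail address only after the registrant record has been flagged; a shared e-mail across otherwise clean registrations is a weak signal, whereas a shared e-mail across registrations that already fail the phone and address checks is the kind of cluster worth adding to a blocklist.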
Protect Yourself from Social Engineering with Better Cybersecurity Training
In conclusion, social engineering attacks can be highly sophisticated and take many forms beyond the traditional phishing email. This smishing campaign is one example of the diverse threats that make it hard for users to recognize the signs of a cyberattack. Security awareness and training programs are therefore vital for strengthening cybersecurity defenses and preventing such attacks. Fortra’s PhishLabs and Terranova Security solutions can help organizations cultivate a strong cybersecurity culture that remains resilient in the face of these ever-evolving attacks.
Learn more about how to protect your organization against social engineering attacks with Fortra's security awareness solutions.